defirisk.co
rubric v1.7.0

Rocket Pool

Permissionless decentralized Ethereum liquid staking protocol issuing rETH (non-rebasing, yield-accruing ERC-20). Node operators bond ETH (4 ETH post-Saturn One, previously 8 ETH LEB8) plus RPL collateral to run validators; no curated or permissioned operator set. rETH:ETH exchange rate is updated on-chain by the Oracle DAO (oDAO), a fixed-membership committee that reports Beacon Chain validator balances. Governance is dual-DAO: pDAO (RPL-weighted, on-chain post-Houston May 2024) governs protocol parameters and treasury; oDAO governs oracle operations and sensitive parameter changes. Saturn One (Feb 2026) introduced megapools, 4 ETH validators, RPL fee switch, and enhanced oDAO guardrails.

Sector evm_lst_decentralized
TVL $1.2B
Reviewed May 12, 2026
Factors 184
Categories 13
Risk score 18.5
Deployments Ethereum · $1.2B
01 Risk profile at a glance

0 red · 4 yellow · 8 green
02 Categories & evidence

184 factors · 13 categories
Code & audits Green 18 25 of 25
RD-F-009 red Formal verification coverage No formal verification (Certora, Halmos, Kani, or equivalent) found for any Rocket Pool upgrade across the full protocol history. Web search of the Certora SecurityReports GitHub repository and Certora.com/reports returned no Rocket Pool entries. No invariant specification is published in the rocket-pool/rocketpool repository. This represents 0% FV coverage: red per taxonomy threshold.
RD-F-001 yellow Audit scope mismatch Six or more audit engagements confirmed across all major upgrades. Saturn One (2026-02-18) was covered by three firms: Sigma Prime, Cantina/Spearbit, Bailsec. The Cantina and Bailsec reports were confirmed published by Feb 16, 2026; the Sigma Prime Saturn final report was pending sign-off at that date (expected early February per the governance forum). Both Cantina and Bailsec identified substantial findings requiring code changes, which were addressed pre-launch. Audit PDFs were inaccessible via WebFetch, so matching the audited commit SHA against deployed bytecode was not achievable. Not red because a three-firm pre-deploy audit with documented issue resolution is affirmatively confirmed; not green because commit SHA verification is not possible.
RD-F-002 yellow Audit recency Saturn One audits (Cantina, Bailsec) were published approximately early February 2026 (~77 days before the assessment date). Saturn One audit coverage is recent. However, Houston-specific contracts (not touched by Saturn One) were last comprehensively audited by Consensys Diligence in December 2023 and Sigma Prime in March 2024, both more than 12 months before the assessment date. Mixed recency across the full contract set drives yellow.
RD-F-006 yellow Audit-to-deploy gap Saturn One: all three audit firms completed before the Feb 18, 2026 launch; gap approximately 2–4 weeks (green). Houston: Consensys Diligence completed December 1, 2023 and Houston launched May 6, 2024, a 156-day gap (red threshold). Sigma Prime's Houston hotfix review (March 2024) to the May 2024 launch is ~50 days (yellow-green). The 156-day Consensys Diligence to Houston launch gap drives overall yellow.
RD-F-007 yellow Bug bounty presence & max payout Active Immunefi program with $150,000 maximum critical payout. Program last updated March 31, 2026 (post-Saturn One, indicating Saturn assets added). 77 assets in scope. $150K max is below the $500K green threshold and above $50K (yellow band).
RD-F-014 yellow Reentrancy guard on external-calling functions Rocket Pool relies on the checks-effects-interactions (CEI) pattern rather than explicit OpenZeppelin nonReentrant modifiers in core contracts. The Consensys Diligence 2021 audit found a reentrancy issue that was addressed by implementing a custom state-variable reentrancy guard. No explicit nonReentrant import was found in RocketTokenRETH.sol or the megapool contracts via source inspection. Full reentrancy-guard coverage across all 20+ contracts cannot be confirmed without a tool run.
RD-F-024 yellow Code complexity vs audit coverage Large codebase (20+ contracts, 48.7% Solidity per GitHub language statistics). The Houston Consensys Diligence engagement was explicitly time-boxed at 2x10 person-days with a recommended follow-up, indicating audit scope was narrow relative to codebase size. Saturn One complexity (megapools, 4 ETH bonding, express/standard queues, RPL fee switch) is high; three firms were engaged. No LOC/nSLOC count is publicly available to compute an exact ratio.
RD-F-183 yellow Bug bounty scope gap on highest-TVL contracts Immunefi program active with 77 assets, last updated March 31, 2026 (after the Saturn One launch on Feb 18, 2026, consistent with Saturn assets being added post-launch). A Discord summary of Feb 16, 2026 confirms the transition of the bug bounty to Saturn assets was in progress. The inference that Saturn megapool contracts were added to scope by March 31, 2026 is indirect; no confirmed in-scope contract address list is available to verify it explicitly.
RD-F-003 gray Resolved-without-proof findings Per-finding resolution proof cannot be verified without access to the audit report PDFs, all of which are inaccessible via WebFetch (binary). The governance forum confirms that 'substantial findings requiring code changes' were addressed by Cantina and Bailsec before the Saturn One launch, but specific finding IDs and resolution evidence are not available. The Houston Consensys Diligence engagement was time-boxed with a recommended follow-up; no evidence that the follow-up occurred.
RD-F-010 gray Static-analyzer high-severity count No published Slither, Mythril, or Semgrep output found for Rocket Pool contracts. Hardhat-based codebase (no Foundry), so no Foundry-native analysis tooling applies. No static-analysis output in the github.com/rocket-pool/rocketpool repository. Cannot assess without a tool run.
RD-F-016 gray Divide-before-multiply pattern No published Slither divide-before-multiply output found. The rETH exchange rate computation involves division (rETH:ETH ratio), but no specific divide-before-multiply finding appears in any accessible audit summary. Cannot assess without a tool run.
RD-F-020 n/a EIP-712 domain separator missing chainId EIP-712 domain separators are not used in Rocket Pool's core protocol contracts. No DOMAIN_SEPARATOR or EIP712 struct found in inspected contracts. Factor is not applicable to this protocol architecture.
RD-F-021 n/a UUPS _authorizeUpgrade correctly permissioned Rocket Pool does not use the OpenZeppelin UUPS proxy pattern. The upgrade mechanism is a custom storage-registry pattern (RocketStorage). No _authorizeUpgrade function exists in the codebase. Factor is not applicable.
RD-F-023 n/a Constructor calls _disableInitializers() Rocket Pool does not use OpenZeppelin Initializable or the upgradeable proxy pattern that requires _disableInitializers(). Core contracts use constructor injection. Megapool minimal-proxy clones use a custom onlyUninitialised guard rather than OpenZeppelin's _disableInitializers pattern. Factor is not applicable to this architecture.
RD-F-004 green Audit count Minimum 6 distinct audit firms confirmed: Sigma Prime, Consensys Diligence, Trail of Bits, ChainSafe, Cantina/Spearbit, Bailsec. All major upgrades (launch, Atlas, Houston, Saturn One) covered by multiple firms. Green threshold is ≥2 firms.
RD-F-005 green Audit firm tier Tier-1 firms confirmed: Trail of Bits, Sigma Prime, Consensys Diligence, Cantina/Spearbit. Bailsec and ChainSafe are established named firms with public track records. No unknown or unranked boutique firms.
RD-F-008 green Ignored bounty disclosure No protocol-level exploits on record. Data-cache rekt.incidents: []. No post-mortem documents a disclosed vulnerability that was ignored before exploit. Rocket Pool proactively disclosed a Beacon Chain staking bug to other staking providers before the October 2021 planned launch — a positive security culture indicator.
RD-F-011 green SELFDESTRUCT reachable from non-admin path Source inspection of RocketTokenRETH.sol, RocketStorage.sol, RocketBase.sol, RocketMegapoolDelegate.sol, and RocketMegapoolFactory.sol found no selfdestruct opcode or function call. Protocol uses storage-registry upgrade pattern; no selfdestruct needed or present.
RD-F-012 green delegatecall with user-controlled target Source inspection confirms no user-controlled delegatecall. Minipool proxy delegatecalls to admin-registered delegate address. Megapool clones use OZ Clones.cloneDeterministic (EIP-1167 minimal proxy) — not a user-supplied target delegatecall. RocketBase access control gates all call targets via RocketStorage registry.
RD-F-013 green Arbitrary call with user-controlled target All external call targets are resolved via RocketStorage.getContractAddress() — trusted registry lookups, not user-supplied. No arbitrary call(target, data) with user-controlled args found in source inspection. The onlyLatestNetworkContract modifier in RocketBase gates all sensitive cross-contract calls.
RD-F-015 green ERC-777/1155/721 hook without reentrancy guard rETH is a standard ERC-20 with no callback hooks. RPL token is a standard ERC-20. No ERC-777, ERC-1155, or ERC-721 integrations in core staking path. Protocol does not use callback-enabled token standards in value-critical paths.
RD-F-017 green Mixed-decimals math without explicit scaling All core protocol arithmetic is ETH-denominated (18 decimals throughout — rETH, RPL, and ETH all use 18 decimals). No cross-decimal token arithmetic present. Three Tier-1 audit firms reviewed math logic across protocol history with no mixed-decimal finding reported.
RD-F-018 green Signed/unsigned arithmetic confusion Core contracts (Solidity 0.7.6) use uint throughout value-critical paths; no signed integer arithmetic was found in exchange-rate or deposit logic. Saturn One contracts (Solidity 0.8.30) have built-in overflow/underflow protection. No signed/unsigned confusion finding appears in any accessible audit summary.
RD-F-019 green ecrecover zero-address return unchecked No ecrecover usage found in core contracts (RocketTokenRETH, RocketStorage, RocketBase, megapool contracts). Rocket Pool does not use EIP-712 permit or ECDSA signatures in its core staking/withdrawal path.
RD-F-022 green Public initialize() without initializer modifier No unguarded public initialize() found. Core contracts use constructor injection (no initialize() at all). RocketMinipoolDelegate's initialise() is protected by custom onlyUninitialised modifier: require(storageState == StorageState.Uninitialised) — equivalent to OZ initializer. Saturn One RocketMegapoolDelegate and RocketMegapoolFactory use constructor-based initialization with no initialize() function.
Governance & admin Green 9 24 of 24
RD-F-033 yellow Timelock on sensitive actions pDAO settings changes (3+ action types) go through a 2-week governance delay. However: (1) the Security Council can pause deposits, minipool creation and RPL price updates without a timelock; (2) guardian bootstrap functions (modify settings, spend treasury) have no timelock; (3) the explicit upgrade delay applies only to contract upgrades, not to all sensitive actions. 3 of 5 action types are adequately timelocked; the pause and bootstrap-settings paths are not. (The guardian role itself is recorded as permanently disabled since Oct 2025 under RD-F-027.)
RD-F-035 yellow Role separation: upgrade ≠ fee ≠ oracle Post-Oct 2025, the guardian role no longer overlaps domains. Upgrade role: pDAO governance approves; oDAO registers into RocketStorage. Fee/reward settings: pDAO governance via RocketDAOProtocolProposals. Oracle (rETH rate, RPL price): oDAO via RocketNetworkBalances and RocketNetworkPrices. The remaining role-separation gap: the oDAO holds both upgrade-execution power (RocketStorage registration) and oracle submission power, so upgrade ≠ oracle is not cleanly satisfied at the oDAO level. Yellow because two of three separations hold (upgrade ≠ fee, fee ≠ oracle) but the oDAO still conflates upgrade execution and oracle reporting.
RD-F-040 yellow Emergency-veto multisig present The Security Council can veto contract upgrades during the 1-week mandatory delay (RPIP-60), requiring 33% quorum. However, Security Council composition was not publicly established at Houston launch (the guardian/team EOA was the initial member). A formal multi-member structure is developing but not confirmed as of assessment. The veto mechanism exists, but its effectiveness is uncertain due to composition opacity.
RD-F-042 yellow Admin has mint() with unlimited max RPL token inflationMintTokens() is publicly callable (not admin-gated) but controlled by a DAO-set rate. No hard supply cap exists. The inflation rate can be modified by pDAO governance (and by guardian bootstrap functions). This is not a direct admin-callable unlimited mint, but the absence of a supply cap and the guardian's ability to change the inflation rate via bootstrap functions creates meaningful risk. Saturn One plans to phase out inflation by late 2026.
RD-F-047 yellow Governance token concentration (Gini) Gini coefficient for pDAO voting power = 0.695 (borderline, just below the 0.7 yellow threshold). Top 10 wallets control 53.1% of voting power. Largest single holder: 8.4% voting influence. Nakamoto coefficient: 10. The square-root modifier on staked RPL reduces concentration relative to raw token holdings. Source: governance analysis from the DAO forum (September 2025).
RD-F-167 yellow Deprecated contract paused but pause reversible by live admin Multiple deprecated deposit pool versions exist (v1.0, v1.1, v1.2). The guardian (team EOA) retains RocketStorage access and could theoretically re-register deprecated contracts. However, deprecated contracts not currently registered in RocketStorage cannot receive protocol calls. Old deposit pool versions have minimal current user interaction. Yellow due to the guardian's unrevoked power over the storage registry, which includes deprecated contract surfaces. (This rationale treats the guardian as live; RD-F-027 records the role as permanently disabled since Oct 2025.)
RD-F-028 n/a Low-threshold multisig vs TVL The primary privileged role (guardian) was a single EOA, not a multisig, so this factor's threshold evaluation does not apply to it (RD-F-027 records the role as permanently disabled since Oct 2025). The oDAO is an 18-member committee with 51% quorum (10/18), which is adequate for its scope. No Gnosis Safe identified as the primary admin control layer.
RD-F-030 n/a Hot-wallet signer flag Post-Oct 2025 guardian disablement, there is no single privileged admin EOA. The former deployer EOA 0x0ccf14983364a7735d369879603930afe10df21e is no longer the RocketStorage guardian; its remaining transactions are routine non-privileged interactions. With no admin EOA holding unilateral protocol power, the hot-wallet/cold-wallet distinction does not apply. The pDAO governance path (RPL-staked voting + 1-week vote delay + 1-week upgrade delay) does not depend on any single signer.
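The concentration figures in RD-F-047 (Gini, Nakamoto coefficient, top-10 share) and the quorum question in RD-F-037 can be recomputed from any voting-power distribution. The Python below is an added example written for this page; it is not the DAO forum's analysis and not Rocket Pool code. It assumes the square-root modifier means weight = sqrt(staked RPL) per node, and the stake list it runs on is constructed, so its numbers are illustrative rather than the page's 0.695 / 10 / 53.1%.

```python
"""Voting-power concentration metrics (constructed example; not Rocket Pool or DAO-forum code)."""
from math import sqrt
from typing import Iterable, List


def voting_power(staked_rpl: Iterable[float]) -> List[float]:
    """Apply the square-root modifier (assumed form: weight = sqrt(staked RPL) per node)."""
    return [sqrt(s) for s in staked_rpl]


def gini(values: Iterable[float]) -> float:
    """Gini coefficient: 0 = perfectly equal, approaching 1 as one holder dominates."""
    xs = sorted(v for v in values if v >= 0)
    n, total = len(xs), sum(xs)
    if n == 0 or total == 0:
        return 0.0
    # Rank-weighted form: G = 2*sum(i*x_i)/(n*sum x) - (n+1)/n, ranks i = 1..n ascending.
    weighted = sum(i * x for i, x in enumerate(xs, start=1))
    return 2 * weighted / (n * total) - (n + 1) / n


def holders_to_reach(values: Iterable[float], fraction: float) -> int:
    """Fewest largest holders whose combined weight exceeds `fraction` of the total.

    fraction=0.5 gives the Nakamoto coefficient; fraction=0.15 answers RD-F-037's
    question of how many holders could reach the 15% quorum by themselves.
    """
    xs = sorted(values, reverse=True)
    total = sum(xs)
    acc = 0.0
    for k, x in enumerate(xs, start=1):
        acc += x
        if acc > fraction * total:
            return k
    return len(xs)


def top_k_share(values: Iterable[float], k: int = 10) -> float:
    """Share of total weight held by the k largest holders."""
    xs = sorted(values, reverse=True)
    total = sum(xs)
    return sum(xs[:k]) / total if total else 0.0


def summarize(staked_rpl: List[float], quorum: float = 0.15) -> dict:
    """Raw-stake vs sqrt-weighted concentration for one distribution."""
    weights = voting_power(staked_rpl)
    return {
        "gini_raw": gini(staked_rpl),
        "gini_sqrt": gini(weights),
        "nakamoto_sqrt": holders_to_reach(weights, 0.5),
        "holders_to_quorum_sqrt": holders_to_reach(weights, quorum),
        "top10_share_sqrt": top_k_share(weights, 10),
        "largest_share_sqrt": top_k_share(weights, 1),
    }


# Constructed stake list: 40 nodes with geometrically growing stakes plus one whale.
SAMPLE_STAKES = [1_000 * 1.15 ** i for i in range(40)] + [2_000_000.0]

if __name__ == "__main__":
    for key, val in summarize(SAMPLE_STAKES).items():
        print(f"{key:24s} {val:.3f}" if isinstance(val, float) else f"{key:24s} {val}")
```

The square-root step is what makes the two Gini values differ: on the same stakes, gini_sqrt is always at or below gini_raw, which is the effect RD-F-047 describes. holders_to_reach with the 15% quorum is the check behind RD-F-037, computed on staked weight rather than liquid balances.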
RD-F-025 green Admin key custody type Admin key custody type: post-Oct 2025 (after permanent guardian disablement), Rocket Pool operates as a fully on-chain DAO + timelock system. The pDAO uses RPL-staked voting power with square-root modifier; mandatory 1-week vote delay + 1-week upgrade delay (RPIP-60). Standard protocol parameter changes route exclusively through this on-chain governance path. The Security Council retains pause-only powers; it cannot upgrade or change parameters unilaterally. Effective custodianship classification: DAO+timelock.
RD-F-026 green Upgrade multisig signer configuration (M/N) Upgrade multisig signer config: post-Oct 2025 guardian disablement, there is no single admin EOA. pDAO governance (RPL-staked voting, square-root modifier) is the upgrade path with 1-week vote delay + 1-week upgrade delay. The oDAO (18 members, 51% quorum = 10/18) handles oracle reporting and registers approved contract addresses in RocketStorage post-pDAO-vote — this is committee governance, not a Safe-style multisig. The pDAO Security Council holds pause-only powers, also a committee not a Safe. No 1-of-1 EOA controls the protocol. The 10/18 oDAO threshold for committee-style oracle/upgrade-execution is acceptable for an 18-member committee.
RD-F-027 green Single admin EOA [STAR CRITICAL] No single admin EOA. The deployer EOA 0x0ccf14983364a7735d369879603930afe10df21e was the RocketStorage guardian during bootstrap (2021-11-09 launch through Oct 2025), but the guardian role was PERMANENTLY DISABLED in the Aug-Oct 2025 period per the Protocol Development Roadmap Update (Oct 24, 2025): "we permanently disabled the protocol DAO guardian, completing the transition to full decentralised governance". The disablement was the culmination of a 3-year public process: RPIP-14 (2022), RPIP-33 (2023), Houston upgrade (May 2024 — established Security Council and on-chain pDAO), and the Aug-Oct 2025 final disablement. As of profile date 2026-05-04, no EOA holds privileged unilateral protocol control. Earlier HackMD/Prisma analysis cited as red was authored prior to the Oct 2025 disablement.
RD-F-029 green Multisig signers co-hosted oDAO members are 18 separate node operator organizations required by design to run validator infrastructure independently. No evidence of infrastructure co-hosting among oDAO members. The guardian role was a single EOA (co-hosting is not applicable to an EOA) and is recorded as permanently disabled under RD-F-027. The oDAO architectural requirement is independent infrastructure for validator operation.
RD-F-031 green Signer rotation recency Signer rotation recency: the deployer EOA was the RocketStorage guardian from launch (2021-11-09) until permanent disablement in the Aug-Oct 2025 period. Permanent disablement of an admin role is the strongest possible rotation event — the role no longer exists rather than being held by a different signer. The 3-year public process (RPIP-14 -> RPIP-33 -> Houston -> Aug-Oct 2025 disablement) is the rotation event. No formal multisig now holds the role, so further rotation is unnecessary.
RD-F-032 green Timelock duration on upgrades RPIP-60 (Protocol Upgrade Guardrails) mandates a 1-week upgrade_delay between proposal approval and execution. Combined with the 1-week vote delay, total time from proposal to execution is ~2 weeks (336 hours). This substantially exceeds the 48-hour green threshold. Implemented at Saturn One (February 2026).
RD-F-034 green Guardian/pause-keeper distinct from upgrader Guardian/pause-keeper distinct from upgrader: post-Oct 2025 guardian disablement, the guardian role no longer exists. The pause/Security Council role (pDAO Security Council, separate body) is distinct from the upgrade path (pDAO governance + 1-week vote delay + 1-week upgrade delay, with oDAO registering approved upgrades into RocketStorage). Pause and upgrade are now held by different bodies with no overlap.
RD-F-036 green Flash-loanable voting weight pDAO voting power is anchored to staked RPL at a specific past block via merkle tree snapshot. RocketDAOProtocolVerifier uses block-level checkpointing. Vote weight = staked RPL at proposal creation block, not current liquid balanceOf. Staking RPL itself requires multi-block commitment. Flash loans cannot manipulate checkpoint-time balances.
RD-F-037 green Quorum achievable via single-entity flash loan Quorum is 15% of effective staked RPL (post-RPIP-63). Effective staked RPL is from active node operators with bonded ETH — a locked, non-transferable pool. Flash loans of liquid RPL cannot affect staked RPL at a past block checkpoint. The quorum metric is staked RPL specifically, which cannot be manipulated via flash loan.
RD-F-038 green Proposal execution delay < 24h Total delay from proposal creation to execution: ~2 weeks. Vote delay (voteDelayTime) = 1 week. Upgrade execution delay (RPIP-60) = 1 week. Total >= 336 hours, well above both the 48h green threshold and the 24h safe-harbor. Security Council veto requires 33% quorum during this window.
RD-F-039 green delegatecall/call in proposal execution without allowlist pDAO proposal execution targets a single hardcoded contract: getContractAddress('rocketDAOProtocolProposals'). This is an effective target allowlist of one permitted contract. No user-supplied delegatecall target. RocketDAOProtocolProposals contract exposes only governance settings, treasury, and Security Council management functions — all restricted by onlyExecutingContracts() modifier.
RD-F-041 green Rescue/emergencyWithdraw without timelock No rescue, emergencyWithdraw, sweep, or equivalent function found in RocketVault, RocketTokenRETH, or RocketTokenRPL. RocketVault withdrawals (withdrawEther, withdrawToken) are restricted to onlyLatestNetworkContract — only authorized protocol contracts, not an admin EOA directly. No admin drain path found.
RD-F-043 green Admin = deployer EOA after 7 days [STAR CRITICAL] Admin = deployer EOA after 7 days: the deployer EOA 0x0ccf14983364a7735d369879603930afe10df21e held the RocketStorage guardian role from 2021-11-09 launch until permanent disablement in the Aug-Oct 2025 period (per dao.rocketpool.net Roadmap Update, Oct 24, 2025: "we permanently disabled the protocol DAO guardian, completing the transition to full decentralised governance"). As of profile date 2026-05-04, no privileged admin role is held by the deployer EOA or any other EOA. The 3-year public process (RPIP-14 2022 -> RPIP-33 2023 -> Houston May 2024 -> Aug-Oct 2025 final disablement) was the formal decentralization path. Earlier HackMD/Prisma/The Block centralization analyses cited as evidence of red were authored before the Oct 2025 disablement.
RD-F-044 green Admin wallet interacts with flagged addresses No evidence of deployer EOA 0x0ccf14983364a7735d369879603930afe10df21e interacting with OFAC-listed, mixer-depositing, or known-rug addresses. Protocol has no rekt incidents. data-cache rekt.incidents: []. No flagged interactions documented in any OSINT source.
RD-F-045 green Constructor args match governance proposal Major upgrades (Houston, Saturn One) accompanied by RPIP specification documents with expected parameters. Community members performed upgrade verification (dao.rocketpool.net/t/verifying-1-4-contract-upgrade/3890). No documented mismatch between proposed and deployed constructor arguments. Three-firm audit process for Saturn One included parameter review.
RD-F-046 green Contract unverified on Etherscan/Sourcify All core Rocket Pool contracts listed in the profile are verified on Etherscan: RocketStorage (0x1d8f8f00), rETH (0xae78736c), RPL (0xd3352606), RocketDAOProtocol (0x0429Cdd8), RocketDAOProposal (0x37714D3a), RocketDAONodeTrusted (0xb8e7838), RocketVault (0x3bdc69c4), RocketNodeManager, RocketNodeStaking, Smoothing Pool. Full source publicly accessible.
Oracle & external dependencies Yellow 37 17 of 17
RD-F-059 red Oracle staleness check present Neither RocketTokenRETH.sol (the consumer of the rETH:ETH rate) nor any known consumer contract checks that the last update is recent (e.g. updatedAt > block.timestamp - maxStaleness) before using oracle values. RocketNetworkBalances.sol enforces a minimum time between submissions (95% of the configured interval) but does not reject reads if the last update is old. Consumers use the last stored value unconditionally: if the oDAO goes offline for days, the protocol silently uses a stale rate without reverting. RocketNetworkPrices.sol imposes no staleness guard on RPL price reads either. This is the only red factor in Cat 3.
RD-F-048 yellow Oracle providers used Rocket Pool uses one oracle provider type: the internal oDAO committee (14 trusted node operators as of Dec 2022; the governance factors above cite 18 members; the current count is not live-queryable). oDAO members submit Beacon chain balance data via RocketNetworkBalances.submitBalances() and RPL/ETH price data via RocketNetworkPrices.submitPrices(). No Chainlink, Pyth, Redstone, or DEX-TWAP oracle is used for any core function. The 19 Chainlink addresses in the data-cache are confirmed pipeline artifacts unrelated to Rocket Pool. A single in-house committee oracle with no external provider SLA is yellow per taxonomy.
RD-F-049 yellow Oracle role per asset For the rETH:ETH rate, the oDAO committee is the sole primary oracle via RocketNetworkBalances; no secondary or fallback oracle exists. For the RPL/ETH price, the oDAO committee is the sole primary via RocketNetworkPrices; no fallback. Consensus threshold = 51% of oDAO members (getNodeConsensusThreshold() = 0.51 ether). A single-path oracle for both critical assets with no documented fallback is yellow per taxonomy ('primary only with no fallback documented').
RD-F-050 yellow Dependency graph (protocols depended upon) Dependencies enumerated: (1) oDAO committee for Beacon chain balance reporting: critical, non-redundant, drives the rETH:ETH rate; (2) oDAO committee for the RPL/ETH price: critical, non-redundant, drives collateral validation; (3) Ethereum Beacon Deposit Contract (0x00000000219ab540356cBB839Cbe05303d7705Fa) for new validator registrations: moderate, existing validators unaffected; (4) RocketStorage registry for all contract address resolution: critical but immutable, not upgradeable. No external DeFi protocol dependencies in core contracts. The oDAO's off-chain RPL price source is 1inch (off-chain only; no on-chain 1inch call). A single non-redundant oDAO dependency for both critical price paths is yellow.
RD-F-051 yellow Fallback behavior on oracle failure If the oDAO fails to reach consensus on submitBalances, the rETH:ETH rate does not update; it silently remains at the last-submitted value. RocketTokenRETH.getEthValue() calls RocketNetworkBalances without any staleness check. No automatic fallback to a secondary oracle. No circuit breaker pauses the contract if the rate is too old. The same pattern applies to the RPL/ETH price (last-known price used if the oDAO fails). Fallback behavior = last-known price (stale risk), yellow per taxonomy.
RD-F-052 yellow Breakage analysis per dependency oDAO balance failure: the rETH:ETH rate freezes; staking rewards stop accruing; users can redeem at the stale rate, which is not immediately harmful but damages LST peg mechanics. oDAO collusion (>51%): rate manipulation is capped at 2% per update by RPIP-61, but there is no cap across successive updates, so a slow drain across multiple intervals remains possible. oDAO RPL price failure: incorrect node operator collateral validation (incorrect liquidations or under-collateralized operations). Beacon Deposit Contract failure: new validator registrations halt, existing TVL unaffected. RocketStorage corruption: full system halt. A partial analysis covering major dependencies without a single formal breakage document is yellow.
RD-F-057 yellow Circuit breaker on price deviation For rETH:ETH balance submissions, RPIP-61 (implemented in Saturn One) adds a 2% per-update max delta cap in RocketNetworkBalances._updateBalances(), enforcing require(newRatio - currentRatio <= maxChange) where maxChangePercent = 2% (floor 1%). This is a partial circuit breaker: it only constrains per-submission rate movement, not absolute deviation from a reference. For RPL/ETH price submissions no circuit breaker exists; RocketNetworkPrices.sol accepts consensus output without any deviation check against the prior price. Mixed state (rETH has a partial guardrail, RPL has none) is yellow.
RD-F-058 yellow Max-deviation threshold (bps) For rETH:ETH: 200 bps (2%) per-update cap on rETH rate change via RPIP-61 / RocketDAOProtocolSettingsNetwork.getMaxRethDelta() = 0.02 ether; floor is 100 bps (1%). This is a per-update movement cap, not an absolute deviation band from a reference price. For RPL/ETH: no deviation threshold configured; unconstrained. Within taxonomy threshold for rETH (≤2000 bps = green), but RPL has none and the rETH cap is per-update rather than absolute. Overall yellow due to the RPL gap.
RD-F-054 n/a TWAP window duration Rocket Pool does not use any DEX-TWAP oracle for any price-critical function. The rETH:ETH rate is oDAO-committee-submitted accounting data. The RPL/ETH price is oDAO-committee-submitted (off-chain 1inch aggregation by oDAO nodes, submitted on-chain; no on-chain TWAP call by protocol contracts). No OracleLibrary.consult(), no observe(), and no TWAP window parameter exists in any Rocket Pool contract.
RD-F-055 n/a Oracle pool depth (USD) Rocket Pool does not use a DEX pool as an on-chain oracle. rETH:ETH is oDAO-committee-reported; RPL/ETH is oDAO-committee-reported (off-chain 1inch aggregation as data input). No DEX pool depth is relevant to on-chain oracle manipulation risk in Rocket Pool's own contracts.
RD-F-056 n/a Single-pool oracle (no medianization) No DEX pool oracle is used in Rocket Pool's on-chain contracts. The RPL/ETH oDAO input is derived off-chain from 1inch (combining two Uniswap V3 pools), but the on-chain contracts do not read from any single pool directly; they accept oDAO consensus submissions. Factor N/A because the protocol does not use an on-chain DEX pool oracle to medianize.
RD-F-060 n/a Chainlink aggregator min/max bound misconfig Rocket Pool does not use Chainlink price feeds in any core contract. Confirmed by source inspection of RocketNetworkBalances.sol, RocketNetworkPrices.sol, RocketTokenRETH.sol, and RocketDepositPool.sol; none imports any Chainlink interface (AggregatorV3Interface, latestRoundData, latestAnswer). The 19 Chainlink addresses in the data-cache are confirmed pipeline artifacts from a general fee scan unrelated to Rocket Pool.
RD-F-061 n/a LP token balanceOf used for pricing Rocket Pool does not use LP token balanceOf for any pricing calculation. The rETH:ETH rate is derived from oDAO-submitted Beacon chain accounting values (totalETHBalance / totalRETHSupply). No LP token is involved in any price path in any core contract.
RD-F-062 n/a External keeper/relayer not redundant Rocket Pool does not depend on a keeper or relayer for core protocol functionality. oDAO committee members independently operate trusted nodes that submit transactions via submitBalances() and submitPrices(); this is a multi-party committee submission pattern, not a single-keeper dependency. No Gelato, Chainlink Automation, or custom keeper interface exists in core contracts.
RD-F-180 n/a Immutable oracle address [★ CRITICAL-CANDIDATE, PD-017 tracked] Rocket Pool does not use any external oracle service (Chainlink, Pyth, UMA, Redstone, etc.) whose address could be marked immutable. The oracle function is the internal oDAO committee system using RocketNetworkBalances.sol and RocketNetworkPrices.sol. Both contracts retrieve all sibling contract addresses dynamically via getContractAddress() from the RocketStorage registry; none is immutable. No external oracle address field exists in any core contract. F180 requires an external oracle that could be immutable; Rocket Pool has no external oracle. Score: not_applicable. Flagged per PD-017: F180 is not_applicable for rocket-pool, so there are zero F180 promotion candidates for this protocol.
RD-F-181 n/a Permissionless-pool lending oracle Rocket Pool is an ETH liquid staking protocol, not a lending protocol. It has no lending markets, no borrow functionality, and no mechanism to accept or reject prices from permissionlessly-created DEX pools. Per process-learnings: 'Factor definition makes it N/A for DEX/non-lending protocols by construction.' The same principle applies to LST protocols: no permissionless-pool lending oracle can exist in a protocol with no lending.
RD-F-053 green Oracle source = spot DEX pool (no TWAP) rETH:ETH exchange rate is computed as (totalETHBalance * rethAmount) / totalRETHSupply inside RocketTokenRETH.getEthValue(). Both inputs are internal Rocket Pool state submitted by oDAO consensus — NOT from any DEX spot price, TWAP oracle, or external price feed. No slot0(), getReserves(), or consult() call exists in any price-critical code path. RPL/ETH for collateral uses oDAO committee input (submitted via submitPrices), not spot DEX. This is the [★ CRITICAL] factor — confirmed GREEN.
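The staleness gap (RD-F-059, RD-F-051), the per-update cap (RD-F-057, RD-F-058) and the slow-drain caveat in RD-F-052 are easier to reason about with a small model. The Python below is an added example written for this page, not Rocket Pool's code. It models a balances store with the getEthValue formula quoted in RD-F-053, an assumed symmetric bound of max_delta_bps per update standing in for the RPIP-61 cap (the exact on-chain check is not reproduced), the staleness guard the page reports as absent, and ten consecutive at-cap downward submissions showing that a per-update cap does not bound cumulative movement. Every class, function name, balance and timestamp here is constructed for the example.

```python
"""Model of an oDAO-style balances oracle (constructed example; not Rocket Pool code)."""
from dataclasses import dataclass
from fractions import Fraction
from typing import Optional

WEI = 10**18
DAY = 86_400


@dataclass(frozen=True)
class BalanceSubmission:
    timestamp: int   # block timestamp at which committee consensus was reached (constructed)
    total_eth: int   # total ETH backing rETH, in wei
    total_reth: int  # total rETH supply, in wei


class OracleError(Exception):
    pass


class DeltaTooLarge(OracleError):
    pass


class StaleOracle(OracleError):
    pass


class BalancesStore:
    """Holds the latest accepted submission and exposes the rETH:ETH rate.

    submit_balances() applies an assumed symmetric per-update bound of max_delta_bps
    standing in for the RPIP-61 cap. get_eth_value() is the unconditional read the
    page attributes to RocketTokenRETH.getEthValue(); get_eth_value_checked() adds
    the staleness guard the page reports as absent.
    """

    def __init__(self, max_delta_bps: int = 200) -> None:
        self.max_delta_bps = max_delta_bps
        self.latest: Optional[BalanceSubmission] = None

    @staticmethod
    def _rate(sub: BalanceSubmission) -> Fraction:
        # Exact rational rETH:ETH ratio; 1 means 1:1 backing.
        return Fraction(sub.total_eth, sub.total_reth) if sub.total_reth else Fraction(1)

    def rate(self) -> Fraction:
        return self._rate(self.latest) if self.latest else Fraction(1)

    def submit_balances(self, sub: BalanceSubmission) -> None:
        if self.latest is not None:
            if sub.timestamp <= self.latest.timestamp:
                raise OracleError("submission is not newer than the stored one")
            old, new = self.rate(), self._rate(sub)
            # Per-update cap only: compares against the previous value, never a reference.
            if abs(new - old) > old * Fraction(self.max_delta_bps, 10_000):
                raise DeltaTooLarge(f"rate moved more than {self.max_delta_bps} bps in one update")
        self.latest = sub

    def get_eth_value(self, reth_amount: int) -> int:
        # totalETHBalance * rethAmount / totalRETHSupply, with no freshness check.
        if self.latest is None or self.latest.total_reth == 0:
            return reth_amount
        return self.latest.total_eth * reth_amount // self.latest.total_reth

    def get_eth_value_checked(self, reth_amount: int, now: int, max_staleness: int) -> int:
        # Added guard: refuse to price against a submission older than max_staleness.
        if self.latest is None or now - self.latest.timestamp > max_staleness:
            raise StaleOracle("last balance submission older than max_staleness")
        return self.get_eth_value(reth_amount)


def max_drift_after(n_updates: int, max_delta_bps: int = 200) -> float:
    """Worst-case cumulative move after n updates that each pass a per-update cap."""
    return (1 + max_delta_bps / 10_000) ** n_updates - 1


def drain_sequence(store: BalancesStore, n_updates: int, interval: int = DAY) -> Fraction:
    """Submit n consecutive at-cap downward updates; each passes, the total is unbounded."""
    for _ in range(n_updates):
        cur = store.latest
        # Ceiling division keeps the drop at or just under the cap so every step is accepted.
        keep = 10_000 - store.max_delta_bps
        new_total_eth = -((-cur.total_eth * keep) // 10_000)
        store.submit_balances(BalanceSubmission(cur.timestamp + interval, new_total_eth, cur.total_reth))
    return store.rate()


def scenario() -> dict:
    """Constructed walk-through: 374,000 ETH backing 340,000 rETH, daily submissions, 3-day budget."""
    store = BalancesStore(max_delta_bps=200)
    genesis = BalanceSubmission(1_700_000_000, 374_000 * WEI, 340_000 * WEI)
    store.submit_balances(genesis)
    out = {"eth_per_reth_wei": store.get_eth_value(WEI)}
    try:  # a single +3% submission is rejected by the per-update cap
        store.submit_balances(BalanceSubmission(genesis.timestamp + DAY, 385_220 * WEI, genesis.total_reth))
        out["big_jump_rejected"] = False
    except DeltaTooLarge:
        out["big_jump_rejected"] = True
    week_later = genesis.timestamp + 7 * DAY
    out["unchecked_read_wei"] = store.get_eth_value(WEI)  # still answers after a silent week
    try:
        store.get_eth_value_checked(WEI, now=week_later, max_staleness=3 * DAY)
        out["stale_read_rejected"] = False
    except StaleOracle:
        out["stale_read_rejected"] = True
    out["rate_after_10_capped_drops"] = float(drain_sequence(store, 10))
    out["worst_case_drift_10"] = max_drift_after(10)
    return out


if __name__ == "__main__":
    for key, val in scenario().items():
        print(f"{key:28s} {val}")
```

Two things the model makes concrete. First, the unchecked read keeps returning 1.1 ETH per rETH a week after the last submission, while the guarded read refuses; an integrator that cannot change the protocol's consumer contracts can still apply this check in its own contract or monitoring. Second, ten submissions that each satisfy a 2% bound move the rate by roughly 18% downward (and up to (1.02)^10 - 1, about 21.9%, in either direction), which is the slow-drain risk RD-F-052 describes and why an absolute band against a reference is a different control from a per-update cap.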
Economic risk Green 17 13 of 13
RD-F-063 yellow TVL (current + 30d trend) Current TVL $1.174B (DefiLlama, 2026-05-04). 30-day change -1.42%; 1-day change +0.62% (stabilizing). 12-month peak ~$3.17B (August 2025); current TVL is ~37% of peak. The decline is ETH-price-correlated. TVL quality is high: 100% ETH staked through minipools/megapools, no speculative leveraged TVL. Yellow because the peak-to-current decline is material (-63%), affecting protocol fee revenue and RPL collateral adequacy. 100% Ethereum mainnet.
RD-F-065 yellow Liquidity depth per major asset The secondary market (Curve, Balancer V3, Uniswap V4) has limited depth: ~$614K 24h volume vs $1.17B TVL. The primary protocol redemption path (rETH burn for ETH) is contingent on deposit pool liquidity; if the deposit pool is insufficient, users must await Beacon Chain validator exits (days to weeks under exit-queue congestion). The Saturn One express/standard queue system prioritizes existing node operators. The rETH/ETH peg is maintained structurally by the oDAO-anchored exchange rate; no depeg since genesis. Yellow: secondary DEX depth is thin for large redemptions, and the protocol path has latency risk under stress.
RD-F-066 n/a Utilization rate (lending protocols) Rocket Pool is an LST protocol with no lending or borrow positions. No utilization rate metric exists. Data-cache confirms defillama.borrow.present: false, utilization_rate_pct: null. N/A by taxonomy PD-024 (lending-only factor).
RD-F-068 n/a Collateralization under stress No CDP or lending mechanic. Rocket Pool's backing is 1:1 ETH in Beacon Chain validators (minus slashing). No ratio-based liquidation cascade. N/A by taxonomy PD-024.
RD-F-069 n/a Algorithmic / under-collateralized stablecoin rETH is an LST, not a stablecoin. Fully backed 1:1 by ETH in Beacon Chain validators. No algorithmic stability, no seigniorage, no under-collateralization design. N/A by taxonomy PD-024.
RD-F-070 n/a Empty cToken-style market (zero supply/borrow) Taxonomy PD-024: RD-F-070 is Compound-fork-only. Rocket Pool is an original LST protocol with no cToken-style markets and no Compound-fork accounting. The Critical ★ flag does not fire. data-cache coverage_flags.lending_protocol: false; profile §5 fork_lineage: original.
RD-F-071 n/a Seed-deposit requirement for new market listing No market listing mechanism exists. Trusted (oDAO) node operator additions require a DAO governance vote, not a seed deposit. N/A by taxonomy PD-024 (lending-only).
RD-F-072 n/a Market-listing governance threshold No market listing mechanism. N/A by taxonomy PD-024 (lending-only).
RD-F-073 n/a Oracle-manipulation-proof borrow cap No borrow caps and no oracle-driven lending surface. The oDAO RPL/ETH price feed is used for collateral calculations (Cat 3 scope), not borrow caps. N/A by taxonomy PD-024.
RD-F-074 n/a ERC-4626 virtual-share offset (OZ ≥4.9) rETH is an ERC-20 token with no ERC-4626 interface. The OpenZeppelin version in use (3.4.0 per data-cache) predates ERC-4626 support (introduced in OZ 4.7). The rETH:ETH exchange rate is oDAO-reported (oracle-anchored), not derived from a vault share ratio, so no donation-based inflation vector applies. N/A by taxonomy PD-024.
RD-F-075 n/a First-depositor / share-inflation guard The rETH:ETH exchange rate is the oDAO-reported aggregate Beacon Chain validator balance, not a pool ratio susceptible to donation manipulation; a token donation cannot change the oDAO-reported rate. The staking pool has been continuously non-empty since November 9, 2021 (genesis). The first-depositor inflation attack (inflating shares against a zero-supply vault) is architecturally inapplicable. N/A by taxonomy PD-024 and LST architecture.
RD-F-064 green TVL concentration (top-10 wallet share) Single-asset (ETH) concentration is 100% by design — Rocket Pool accepts only ETH deposits. Chain concentration: 100% Ethereum mainnet. Depositor-address concentration: rETH circulating supply ~340,000 tokens distributed across DeFi (Curve, Balancer, Uniswap, Aave integrations). No known single dominant depositor. Top-10 holder share not quantifiable via public tools (Dune inaccessible), but broad distribution presumed from market cap (~$900M+) and DeFi integration breadth. GREEN at medium confidence. Single-chain concentration is appropriate by LST design, not an addressable risk.
RD-F-067 green Historical bad-debt events Zero protocol-level bad debt or socialized rETH loss events recorded in ~4.5 years of operation across ~27,800 validators. Slashing loss absorption hierarchy: (1) node operator ETH bond; (2) RPL collateral auctioned; (3) remainder socialized across rETH holders. No RPL auction for slashing has been triggered. No socialized rETH loss has occurred. Data-cache rekt.incidents: []. Beacon chain slashing events affecting Rocket Pool validators have been isolated and absorbed within operator bonds.
Operational history Green 15 15 of 15
RD-F-089 red Insurance coverage active TVL $1.17B. No active third-party coverage on Nexus Mutual, Unslashed, Sherlock, or equivalent. Immunefi is a pre-exploit bug bounty program, not an insurance product. $150K Immunefi max payout covers 0.013% of current TVL — effectively zero proportionality. Nexus Mutual and Sherlock do not offer proportional cover for $1B+ LST TVL pools. Structural gap consistent with all LST protocols at this scale. Pre-marked RED in profile.meta.json.
RD-F-084 yellow TVL stability (CoV over 90d) DeFiLlama historical TVL API returns 403 (persistent structural gap per process-learnings). CoV estimated from profile data: TVL declined from ~$1.7B (mid-2025) to ~$1.17B at 2026-05-04 (30-day change -1.42%; 1-day +0.62%). 90-day trailing window (Feb–May 2026) shows stabilization. Estimated CoV in 0.10–0.20 range based on available data points. Confidence: medium. Scored yellow (0.15–0.35 range) pending programmatic re-run with daily series. Collection mode: hybrid.
RD-F-088 yellow Re-deployed to new addresses in last year Saturn One (v2.0) deployed to mainnet 2026-02-18 — within the trailing 12 months. Introduced megapool factory and new Saturn-specific contract versions registered in RocketStorage. This is a documented, planned, governance-approved upgrade (RPIP-55) with community communication and a dedicated migration site at saturn.rocketpool.net. Per methodology: yellow = redeployment with documented migration path and user communication. Not a stealth or distressed redeployment.
RD-F-081 gray Post-exploit response score No prior protocol exploits. Factor grades post-exploit response quality on most recent incident. Gray = no prior incidents (N/A). The 2022 oDAO node compromise is classified as an operational incident and excluded from this factor's scope.
RD-F-082 gray Post-mortem published within 30 days No prior protocol exploits. Factor grades whether post-mortem was published within 30 days of most recent incident. Gray = no prior incidents (N/A). Informational: the 2022 oDAO node incident produced a public response post-mortem, which is a positive operational indicator.
RD-F-083 gray Auditor re-engaged after last exploit No prior protocol exploits. Factor grades whether an auditor was re-engaged after the most recent exploit. Gray = no prior exploits (N/A).
RD-F-085 gray Incident response time (minutes) No prior protocol exploits. Factor grades time from exploit tx to first official team statement. Gray = no prior incidents (N/A).
RD-F-076 green Protocol age (days) Protocol launched mainnet 2021-11-09 (rETH deploy tx 0x4f3f14803e358840c61bfb5f004c39920a6e15b9c5d6636fc6e9310eab772a91). Days from launch to 2026-05-04: 1,272 days (~42 months). Threshold: green >= 365 days. Well within green band.
RD-F-077 green Prior exploit count Zero protocol-level smart contract exploits confirmed. Hacksdatabase batches 1–24: 0 direct Rocket Pool entries (rETH/RPL appear only as peripheral references in Conic, Yearn, Makina incidents). Data-cache rekt.incidents: []. DeFiLlama hacks: 0. Web search confirms no Rekt leaderboard entries. May 2022 oDAO node compromise ($28K, developer machine) and Jan 2024 X account hijack are classified as operational/social-engineering incidents, not protocol exploits. RPIP-63 Immunefi bounties (2 high, 1 medium) patched pre-exploitation in Oct 2024. Score: green = 0 prior protocol exploits.
RD-F-078 green Chronic-exploit flag (≥3 incidents) Chronic exploit pattern (PD-022): RP has 0 protocol-level smart contract exploits, well below the >=3 threshold. No CHRONIC flag triggered. Hacksdatabase + Rekt + DefiLlama all confirm zero direct incidents over 42-month operating history.
RD-F-079 green Same-root-cause repeat exploit Repeat root-cause: not applicable; with 0 prior protocol exploits there are no root-cause clusters to compare. Methodology: no incidents = green.
RD-F-080 green Days since last exploit Days-since-last-exploit: no protocol-level exploit has occurred in 42-month operating history (since 2021-11-09 launch). Methodology: no incidents = green (equivalent to >24 months).
RD-F-086 green Pause activations (trailing 12 months) No evidence of deliberate protocol pause activations in the trailing 12 months. Saturn One (2026-02-18) was a planned upgrade, not a pause event. Rocket Pool's Security Council (Houston addition) is empowered to pause; no activation events documented. Score: green = 0 pauses. Note: RocketStorage architecture means no single protocol-wide pause switch; sub-contract pause capabilities need code-security-analyst enumeration.
RD-F-087 green Pause > 7 consecutive days No protocol-level pause events documented in trailing 12 months. The May 2022 oDAO node incident was an operational compromise of a single oDAO member (not a protocol pause); rETH operations continued uninterrupted.
RD-F-166 green Deprecated contracts still holding value Old RPL Token (0xb4efd85c19999d84251304bda99e90b92300bd93) is the primary deprecated contract. Etherscan confirms ~$223 total residual balance (August 2025 data point), ~7,917 remaining holders who have not migrated. Well below the $100K threshold for yellow. Migration announced November 2021 with no forced deadline; residual represents stranded user funds, not protocol-controlled value. No other deprecated contracts identified as holding significant value above $100K threshold. RocketStorage upgrade pattern retires contract names by reassigning registry pointers — stale versions may hold residual ETH, but code-security-analyst must enumerate. Scored green on available evidence; flagged for code-security-analyst follow-up.
Real-time signals Green 6 22 of 22
RD-F-109 yellow Social-media impersonation scam spike Signal applicable: Rocket Pool is a top-20 DeFi brand by recognition. January 2024 X account compromise used rocketpool-migrating.net phishing domain — confirmed coordinated impersonation campaign executed against brand. X account compromised at ~6:30 pm UTC 2024-01-17; posts removed ~7:05 pm UTC then reposted. Recovery within ~35 minutes. As of 2026-05-04, no new coordinated campaign documented, but brand recognition implies a baseline of 1–2 impersonation accounts at any time is expected. September 2023 phishing event separately demonstrated rETH/stETH holders are active targets ($24M stolen). Scored yellow: prior confirmed campaign establishes elevated impersonation risk; no active coordinated campaign confirmed today.
RD-F-090 gray Mixer withdrawal → protocol interaction Signal applicable: Rocket Pool is a major ETH staking destination. No confirmed direct mixer-funded wallet interacting with Rocket Pool core contracts in public data. Yearn rekt3 (Apr 2023) pre-exploit commentary noted unusual LST movements adjacent to Rocket Pool, but this refers to attacker assets in transit, not a confirmed mixer → RP interaction. T-09 phase 2 signal; CTI feed required for production. Signal not firing based on available public evidence.
RD-F-091 gray Partial-drain test transactions No partial-drain test transactions documented against Rocket Pool core contracts in public data or hack database. Protocol has no Rekt leaderboard entries. Pattern matcher not deployed at T-10. Signal not applicable in current static assessment posture.
RD-F-092 gray Unusual mempool pattern from deployer wallet Deployer EOA 0x0ccf14983364a7735d369879603930afe10df21e still holds ~$17K ETH balance (Etherscan, Feb 2026). Guardian role scope reduced post-Houston (2024-05-06). No anomalous deployer wallet transaction sequences documented in public data. Baseline behavioral model not established; mempool monitoring not configured. Signal applicable in principle but not wired up.
RD-F-093 gray Abnormal gas-price willingness from attacker wallet No documented abnormal gas-bidding from flagged wallets on Rocket Pool core contracts. Mempool monitoring not configured at T-10. Signal applicable but not wired up for this protocol.
RD-F-094 gray New contract with similar bytecode to exploit template No public documentation of exploit-template-similar contracts deployed against Rocket Pool contracts. Bytecode similarity index not maintained for Rocket Pool contract class at T-10. Signal applicable but not wired up.
RD-F-095 gray Known-exploit function-selector replay No documented selector-replay attack attempts against Rocket Pool core contracts. Selector pattern index not maintained for RP at T-10. Signal applicable but not wired up.
RD-F-096 gray New ERC-20 approval to unverified contract from whale September 2023 phishing event ($24M stolen from a crypto whale) involved the victim signing an Increase Allowance approval to an attacker-controlled contract for rETH/stETH. This was a user-level phishing event, not a protocol-level unverified approval triggered by the protocol's on-chain interactions. No protocol-level unverified-contract approval event documented. Whale list and monitoring not configured at protocol level.
RD-F-097 gray Sybil surge of identical-pattern transactions No documented sybil surge in available public data. pDAO uses square-root RPL voting weight, which provides natural sybil resistance. Clustering algorithm not deployed at T-10. Signal applicable but not wired up.
RD-F-102 gray Admin/upgrade transaction in mempool Signal applicable: pDAO Security Council and oDAO have admin roles; Saturn One introduced mandatory timelock delays for protocol upgrades (visible as queued execution transactions). Mempool monitoring not configured at T-10 static assessment. Saturn One mandatory upgrade delays would trigger suppression rule (timelocked execution is pre-announced). No unannounced admin transactions detected in available public data.
RD-F-103 n/a Bridge signer-set change proposed/executed Structural N/A: Rocket Pool is not a bridge protocol and does not operate bridge contracts. rETH exists on L2s only via canonical third-party bridges (Optimism Bridge, Arbitrum Bridge) not governed or operated by Rocket Pool. Profile meta.json has_bridge_surface: false, is_a_bridge: false. Factor does not apply.
RD-F-104 n/a Stablecoin depeg >2% on shared-LP venue Standard stablecoin depeg signal does not apply: Rocket Pool holds ETH (not stablecoins) as primary collateral. RPL is a collateral token, not a stablecoin. No stablecoin in Rocket Pool's primary dependency graph meets the ≥5% TVL exposure threshold required by T-09 §4.2 suppression rule. rETH is a non-rebasing LST with monotonically increasing exchange rate — not a stablecoin subject to depeg.
RD-F-105 gray DNS/CDN/frontend hash drift Signal applicable: rocketpool.net is the primary frontend (registered 2017-05-16 via Amazon Registrar; expiry 2027-05-16). January 2024 X/Twitter account compromise redirected users to rocketpool-migrating.net — this was an X account compromise plus a separate phishing domain, NOT a DNS hijack of rocketpool.net itself. Frontend JS hash monitoring and DNS drift detection not deployed at T-10. No unscheduled DNS drift of rocketpool.net detected in available data.
RD-F-106 n/a Cross-chain bridge unverified mint pattern Structural N/A: Rocket Pool does not operate cross-chain bridge contracts. rETH bridging to L2 is via canonical third-party bridges not governed by Rocket Pool. Profile meta.json cross_chain: false, has_bridge_surface: false.
RD-F-107 gray Admin EOA signing from new geography/device Off-chain signing telemetry not available; requires protocol team opt-in. Signal practically always gray per taxonomy methodology note. No team opt-in documented for Rocket Pool. pDAO Security Council and oDAO member wallets have admin roles, but no device/geography telemetry is accessible.
RD-F-108 gray GitHub force-push to sensitive branch Signal applicable: github.com/rocket-pool/rocketpool is the primary smart contracts repo; last commit 2026-04-17 per data-cache. GitHub monitoring not configured at T-10. No public reports of unauthorized force-push or sensitive-branch push in available data.
RD-F-182 gray Security-Council threshold reduction (RT) Signal applicable: Rocket Pool has a pDAO Security Council introduced in Houston (2024-05-06) with veto powers over protocol upgrades. A threshold reduction (e.g., 3/5 → 2/5) in the SC Safe would match the Drift Protocol pattern (3/5 → 2/5 SC change + timelock removal, 6 days before $285M DPRK exploit). Saturn One introduced mandatory delays with SC veto during the delay period. However: (1) SC Safe multisig contract address has not been publicly resolved in the protocol profile — governance-admin-analyst must enumerate from RocketStorage; (2) without the SC address, monitoring cannot be configured. No SC threshold reduction events documented in public data. Signal applicable but cannot be wired without SC address resolution.
RD-F-098 green TVL anomaly — % drop in <1h Signal applicable: Rocket Pool TVL ~$1.175B on Ethereum mainnet, fully monitorable via DeFiLlama. TVL 30d change: -1.42% (gradual correlated market decline); 1d change: +0.62%. Current TVL is approximately 0.988x 30d baseline. T-09 threshold: TVL_now / TVL_baseline_30d < 0.70 within 60-min window. Threshold not breached — far below 30% drop threshold. Signal not firing.
RD-F-099 green Oracle price deviation >X% from secondary Signal applicable: rETH:ETH exchange rate is reported by oDAO via RocketNetworkBalances; rate deviation from independently derivable secondary (Curve/Uniswap rETH spot) is the firing condition. Saturn One RPIP-61 balance-submission guardrail (implemented 2026-02-18) constrains the oDAO delta per submission window, significantly reducing the manipulation attack surface. No evidence of oDAO collusion or abnormal rate submissions as of 2026-05-04. Signal not firing; architectural guardrail is active.
RD-F-100 green Flash loan >$10M targeting protocol tokens Signal applicable: RPL flash loans exist on Aave/Uniswap. However, pDAO uses effective staked RPL (not spot balance) with square-root modifier for voting — this provides structural resistance to flash-loan governance attacks (staked RPL cannot be flash-borrowed; only liquid RPL is flash-loanable but does not count for governance). No documented flash-loan attack targeting Rocket Pool core contracts. Signal not firing.
RD-F-101 green Large governance proposal queued Signal applicable: Rocket Pool has fully on-chain pDAO governance via RocketDAOProposal at 0x37714D3a9D3b3091220D68184e3AFEC4Ec911368 post-Houston (2024-05-06). Saturn One upgrade completed 2026-02-18 with mandatory delays satisfied. No public reports of suspicious or flagged-pattern governance proposals in current window. oDAO proposals via 0xb0ec3F657ef43A615aB480FA8D5A53BF2c2f05d5 also reviewed — no anomaly. Signal not firing.
RD-F-110 green Unusual pending/executed proposal ratio Signal applicable: pDAO on-chain governance via RocketDAOProposal has measurable proposal activity. No anomalous governance proposal ratio documented in public data. Post-Saturn One governance activity appears normal. Signal not firing.
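As an added illustration of how the RD-F-099 firing condition above can be evaluated (example code, not Rocket Pool's or the oDAO's own): each oDAO rETH:ETH submission is compared against a DEX spot reference, and the per-window delta is checked against a guardrail cap. The deviation threshold, the per-window cap, and the rate series are constructed placeholders, not protocol parameters.

```javascript
// Added example, not protocol code. Evaluates the RD-F-099 signal
// ("oracle price deviation > X% from secondary") over a constructed series of
// oDAO rETH:ETH balance submissions, using a DEX spot rate as the secondary.
// Both thresholds are assumptions for illustration, not Rocket Pool values.
const DEVIATION_THRESHOLD_BPS = 100; // "X%" = 1% (assumed)
const MAX_DELTA_PER_WINDOW_BPS = 50; // placeholder for the RPIP-61 per-window bound

// Constructed observations: one entry per oDAO submission window.
const constructedSeries = [
  { window: 1, odaoRate: 1.12, dexSpot: 1.119 },
  { window: 2, odaoRate: 1.1204, dexSpot: 1.1198 },
  { window: 3, odaoRate: 1.129, dexSpot: 1.1201 }, // large step vs prior window
  { window: 4, odaoRate: 1.142, dexSpot: 1.1205 }, // diverges from secondary
];

// Signed difference of `value` from `reference`, in basis points.
function bpsDiff(value, reference) {
  return Math.round(((value - reference) / reference) * 10000);
}

// Per-window evaluation: deviation from the secondary reference (the signal's
// firing condition) and delta from the previous accepted rate (what a
// per-window guardrail would constrain).
function evaluateSubmissions(series) {
  const results = [];
  let prevRate = null;
  for (const obs of series) {
    const deviationBps = bpsDiff(obs.odaoRate, obs.dexSpot);
    const deltaBps = prevRate === null ? 0 : bpsDiff(obs.odaoRate, prevRate);
    results.push({
      window: obs.window,
      deviationBps,
      deltaBps,
      deviationFires: Math.abs(deviationBps) > DEVIATION_THRESHOLD_BPS,
      guardrailBreached: Math.abs(deltaBps) > MAX_DELTA_PER_WINDOW_BPS,
    });
    prevRate = obs.odaoRate;
  }
  return results;
}

// Roll the per-window results up into the signal state the rubric records.
function signalState(series) {
  const results = evaluateSubmissions(series);
  const firing = results.filter((r) => r.deviationFires).map((r) => r.window);
  const breaches = results.filter((r) => r.guardrailBreached).map((r) => r.window);
  return { firing, breaches, state: firing.length > 0 ? "firing" : "not firing" };
}

console.log(JSON.stringify(signalState(constructedSeries)));
```

A submission that breaches the per-window cap (window 3) is not by itself a deviation alert; the signal fires only when the reported rate diverges from the secondary beyond the threshold (window 4).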
Dev identity & insider risk Green 3 16 of 16
RD-F-117 yellow ENS/NameStone identity bound to deployer Deployer 2 (0x0ccf14983364a7735d369879603930afe10df21e) does not have a confirmed bound ENS name. Etherscan shows a public name tag 'Rocket Pool: Deployer 2' providing protocol-affiliation labeling, but this is an Etherscan-applied tag, not an on-chain ENS binding. The 'darcius' GitHub handle is publicly linked to David Rugendyke and the rocket-pool org, but the chain between 'darcius' and the deployer address is not formally on-chain-attested. Weaker identity binding than ENS; scored yellow.
RD-F-119 gray Commit timezone consistent with stated geography Team publicly stated as Brisbane, Australia (UTC+10). GitHub commit graphs are JS-rendered and not accessible via WebFetch per process-learnings. Timezone analysis cannot be performed without GitHub API commit-hour data at OSINT tier. No timezone anomaly reported by any security researcher. Gray per methodology.
RD-F-122 gray Contributor paid to DPRK-cluster wallet No on-chain payment streams to team members are publicly assessable at OSINT tier. Rocket Pool Pty Ltd (Australian company) handles payroll off-chain. Per methodology, this factor cannot be meaningfully assessed at OSINT tier for companies with off-chain payroll structures. No public reports link any Rocket Pool team payment to a DPRK cluster. Gray per methodology.
RD-F-184 gray Real-capital social-engineering persona No curator-flagged real-capital social-engineering persona behavior observed. Rocket Pool contributors have 9+ year public histories; the protocol was founded in 2016-2017, making any recent persona-building implausible given the founding team's continuous visible presence. No pattern of a new 'external integrator' building a large capital position in a short timeframe identified. Per F184 definition (M-only OSINT, P1) and process-learnings: 'Mark GRAY — the Drift comparator (6-month capital-deposit persona build-up) is the reference pattern; don't try to confirm absence of something that by design leaves no public trace.' Gray by methodology, not evidence deficit.
RD-F-111 green Team doxx status Founders David Rugendyke and Darren Langley are fully doxxed with real names, LinkedIn profiles, university degrees (Southern Cross Univ BSc CS; Univ of Kent BSc CS), prior employer histories, and Devcon conference appearances. Core engineers Kane Wallmann and Joe Clapis are semi-doxxed (real names public via GitHub org and team pages). No anonymous or pseudonym-no-track-record team members at leadership level. oDAO members are institutional entities with public accountability surfaces.
RD-F-112 green Team public accountability surface Rugendyke: BSc CompSci (Southern Cross Univ 2001), Clemenger BBDO Brisbane (2006-2011), George Patterson Y&R (2013-2017), Rocket Pool founder since 2017, YouTube interviews on record. Langley: BSc CompSci (Univ of Kent 1998-2002), Civic Ledger and Victoria State Govt Education employer history, Devcon SEA 2024 speaker, active X/Twitter presence. GitHub org has 6 public members. oDAO includes Etherscan, Coinbase, Consensys Codefi, Blockdaemon, Bankless — all institutions with deep public accountability.
RD-F-113 green Team other-protocol involvement history Rugendyke: sole focus on Rocket Pool since 2017; no prior rug or deceptive project. Langley: prior roles at Civic Ledger and Victoria State Government Education; no adverse linked projects. Wallmann and Clapis: Rocket Pool appears to be primary protocol involvement with no adverse linked projects found. Web search for 'Rocket Pool rug exit scam David Rugendyke' returned zero Rocket Pool-specific adverse results. Rekt leaderboard: 0 incidents.
RD-F-114 green Deployer address prior on-chain history Deployer 2 (0x0ccf14983364a7735d369879603930afe10df21e) shows 415 transactions: protocol contract deployments and Rocket Pool Bootstrap function interactions. Labeled 'Rocket Pool: Deployer 2' and 'Contract Deployer' by Etherscan — public name tag confirms protocol affiliation. No prior-rug-linked contracts in visible history. Normal long-tenured developer activity pattern.
RD-F-115 green Prior rug/exit-scam affiliation No team member linked to a prior rug, exit scam, or fraudulent protocol. Rekt leaderboard shows 0 Rocket Pool incidents. Web search for 'Rocket Pool rug exit scam' returned only generic educational content about rug pulls — zero Rocket Pool-specific adverse results. Protocol operational since 2021 with no known insider misconduct.
RD-F-116 green Contributor tenure at admin-permissioned PR GitHub last_commit_date: 2026-04-17 (data-cache.json). The rocket-pool GitHub org has been active since 2017 (9+ years). Public org members (darcius, darrenlangley, jclapis, kanewallmann) show multi-year commit histories. No short-tenure contributor with admin access identified. Most recent admin-permissioned code changes occur in a mature repository driven by founding team members.
RD-F-118 green Handle reuse across failed/rugged projects The 'darcius' handle (David Rugendyke) has been exclusively associated with Rocket Pool since 2016-2017. No prior rugged or failed project found under this handle or any variant. Darren Langley's @langerstwit and @darrenlangley handles show consistent Rocket Pool/Ethereum association since at least 2018. No handle reuse across adverse projects found for any identified team member.
RD-F-120 green Video-off/voice-consistency flag David Rugendyke appeared on-camera in the 'Rocket Pool — Meet the Nation' YouTube interview. Darren Langley spoke at Devcon SEA (Bangkok, 2024) with public on-camera presentation. Team members have participated in public AMAs and conference presentations. No video-off or voice-consistency concerns documented in any source.
RD-F-121 green Contributor OSINT depth score Rugendyke: 5/5 — BSc CS, 10+ years prior employment confirmed, 9+ years Rocket Pool founder, Medium blog (1.6K followers), YouTube interviews, LinkedIn, GitHub. Langley: 5/5 — BSc CS, Civic Ledger and Victoria Govt employer history, Devcon speaker, LinkedIn, X/Twitter, Medium since 2018. Wallmann/Clapis: 3/5 — real names public, multi-year GitHub histories, but limited external biographical depth. Overall team OSINT depth score: 4/5.
RD-F-123 green Sudden admin-rescue/ACL change without discussion The deployer EOA held the RocketStorage guardian role during bootstrap (2021-11-09 to Aug-Oct 2025). This was a publicly known and documented centralization concern. Its resolution was the subject of multi-year public governance: RPIP-14 (2022, temporary reassignment), RPIP-33 (2023, on-chain pDAO design), Houston upgrade (May 2024, Security Council creation). The guardian was permanently disabled in Aug-Oct 2025 per the official governance roadmap update: 'we permanently disabled the protocol DAO guardian, completing the transition to full decentralised governance.' No evidence of any undisclosed admin-rescue or ACL change absent governance discussion in the last 180 days. All current pDAO protocol changes route through the on-chain optimistic fraud-proof system with mandatory RPIP forum discussion.
RD-F-124 green Deployer wallet mixer-funded within 30 days Deployer 2 (0x0ccf14983364a7735d369879603930afe10df21e) was funded by 0x89Af09B5...CA0BEa6F0 approximately 5 years 55 days before the 2026-05-04 assessment date, placing the funding event in approximately March 2021 — roughly 8 months before the November 9, 2021 mainnet launch. The 30-day window specified by RD-F-124 does not trigger. No Tornado Cash, Railgun, or other mixer interaction appears in the 415-transaction history. The funding source does not carry a CEX label on Etherscan but also shows no mixer label. 30-day window: PASS.
RD-F-125 green Deployer linked within 3 hops to DPRK/Lazarus No OSINT evidence links the deployer address, any named team member, or any oDAO member to DPRK/Lazarus cluster. Web search 'Rocket Pool DPRK Lazarus North Korea developer' returns zero Rocket Pool-specific results — only generic Lazarus/DPRK threat actor articles. No OFAC SDN match for the deployer address, team names (Rugendyke, Langley, Wallmann, Clapis), or named oDAO entities. Team is Australia-based (Brisbane) with multi-year verified employer and academic histories inconsistent with DPRK-implant profile. oDAO includes OFAC-compliant institutions (Coinbase, Etherscan, Consensys). No Lazarus-labeled wallet visible in deployer transaction history.
Fork / dependency lineage Yellow 22 10 of 10
RD-F-133 yellow Dependency manifest uses unpinned versions package.json uses caret-prefixed OZ versions: "@openzeppelin/contracts": "^3.4.0" and "@openzeppelin4/contracts": "npm:@openzeppelin/contracts@^4.9.2". Caret allows npm to resolve any compatible minor/patch upgrade. package-lock.json is present (provides effective pin at npm install time), but the package.json manifest itself does not pin to an exact version. This is the standard npm pattern but not best practice for security-critical Solidity libraries. Yellow (not red because package-lock.json mitigates; not green because manifest is unpinned).
RD-F-135 yellow Shared-library version with known-vuln status OZ 3.4.0: GHSA-5vp3-v4hc-gx76 (UUPSUpgradeable critical) affects 4.1.0–4.3.2 only — 3.4.0 NOT affected. TimelockController vulns affect 3.x but RP does not use OZ TimelockController. OZ 4.9.2: CVE-2023-40014 (ERC2771Context) affects 4.0.0–4.9.2 — RP does NOT use ERC2771Context (confirmed by source inspection). Net: no known active critical CVE applicable to RP's specific usage patterns. Yellow (not green) because OZ 4.9.2 is a version with a known GHSA even though the specific vulnerability does not apply to RP's usage.
RD-F-126 n/a Is-a-fork-of Rocket Pool is an original protocol — not a fork of any upstream protocol. Designed from scratch beginning in 2016. No fork attribution in GitHub README or protocol docs. All Cat 8 fork-lineage factors (F126–F132) are not applicable by construction.
RD-F-127 n/a Upstream patch not merged No upstream fork parent — factor not applicable. Rocket Pool is an original protocol.
RD-F-128 n/a Upstream vulnerability disclosure (last 90d) No upstream fork parent — factor not applicable. Rocket Pool is an original protocol.
RD-F-129 n/a Code divergence from upstream (%) No upstream fork parent — divergence measurement undefined. Factor not applicable.
RD-F-130 n/a Fork depth (generations from original audit) No upstream fork — fork depth is 0 (original). Factor not applicable.
RD-F-131 n/a Fork retains upstream audit coverage No upstream fork — all audit coverage is native to Rocket Pool. Factor not applicable.
RD-F-132 n/a Fork has different economic parameters than upstream No upstream fork — no upstream economic parameters to compare against. Factor not applicable.
RD-F-134 green Dependency had malicious-release incident (last 90d) No malicious-release advisory for @openzeppelin/contracts (any version) in the past 90 days. OZ is maintained by a reputable team with strong supply-chain security posture. No GHSA or npm advisory flagged for OZ 3.4.x or 4.9.x range in recent period.
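The RD-F-133 manifest check can be automated; the following is an added example (not Rocket Pool's tooling) that parses a package.json, flags every non-exact dependency specifier, including the npm alias form cited above, and applies the factor's green/yellow/red logic depending on whether a lockfile is present. The manifest is constructed from the two OpenZeppelin entries the factor cites plus invented filler entries.

```javascript
// Added example, not Rocket Pool's code. Flags dependency specifiers in a
// package.json that are version ranges rather than exact pins, and scores the
// manifest the way RD-F-133 does: unpinned + lockfile = yellow, unpinned with no
// lockfile = red, all exact = green.

// Constructed manifest: the two OZ entries quoted in RD-F-133 plus two
// invented entries ("hardhat", "chai" with constructed versions) for contrast.
const constructedManifest = JSON.stringify({
  name: "constructed-example",
  dependencies: {
    "@openzeppelin/contracts": "^3.4.0",
    "@openzeppelin4/contracts": "npm:@openzeppelin/contracts@^4.9.2",
    hardhat: "2.22.0",
  },
  devDependencies: {
    chai: "~4.3.0",
  },
});

// Exact semver: MAJOR.MINOR.PATCH with optional prerelease/build metadata.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// npm aliases look like "npm:<package>@<specifier>". The package name may be
// scoped (starts with "@"), so split on the last "@" that is not at index 0.
// An alias with no specifier at all resolves to "latest", i.e. unpinned.
function unwrapAlias(spec) {
  if (!spec.startsWith("npm:")) return spec;
  const body = spec.slice("npm:".length);
  const at = body.lastIndexOf("@");
  return at > 0 ? body.slice(at + 1) : "*";
}

// Returns null for an exact pin, otherwise a short reason string.
function classify(spec) {
  const s = unwrapAlias(String(spec).trim());
  if (EXACT_SEMVER.test(s)) return null;
  if (s.startsWith("^")) return "caret-range";
  if (s.startsWith("~")) return "tilde-range";
  return "non-exact"; // "*", "latest", ">=x", git/file/http specifiers, ...
}

const DEP_FIELDS = ["dependencies", "devDependencies", "peerDependencies", "optionalDependencies"];

function findUnpinned(manifestJson) {
  const manifest = JSON.parse(manifestJson);
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      const reason = classify(spec);
      if (reason) findings.push({ field, name, specifier: spec, reason });
    }
  }
  return findings;
}

// RD-F-133 scoring: the lockfile provides the effective pin at install time,
// so it downgrades red to yellow but does not make the manifest green.
function scoreManifest(manifestJson, lockfilePresent) {
  const findings = findUnpinned(manifestJson);
  if (findings.length === 0) return { grade: "green", findings };
  return { grade: lockfilePresent ? "yellow" : "red", findings };
}

console.log(JSON.stringify(scoreManifest(constructedManifest, true), null, 2));
```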
Post-deploy hygiene & change mgmt Green 13 13 of 13
RD-F-136 yellow Deployed bytecode matches signed release tag GitHub release tags show v1.4 (February 9, 2026) is GPG-signed by Kane Wallmann (key BC9B3D573B470082) with Verified badge. Saturn One deployed February 18, 2026. However, commits continued through April 17, 2026 (post-deployment). Cannot confirm via RPC whether April commits are deployed or only development changes. Signed tag exists but post-tag commits create uncertainty.
RD-F-139 yellow Post-audit code changes without re-audit Two documented instances of post-audit code drift: (1) Houston hotfix (RPIP-63, Oct 2024) addressed 3 Immunefi bounties; formal re-audit of hotfix changes not confirmed. (2) Saturn One (Feb 2026): Bailsec stated before deployment they 'cannot say with high-confidence that there are no critical issues left' and recommended another full audit; two open Bailsec items remained at launch. Sigma Prime completed fix sign-offs. Not red because: 3 audit firms engaged, extensive follow-up rounds, acknowledgment was public and transparent.
RD-F-145 yellow Deployed bytecode reproducibility Build system is Hardhat (not Foundry). Source fully verified on Etherscan with compiler settings visible. No formal bytecode reproduction guide published by the team. Reproduction is possible in principle from Etherscan-verified source + Hardhat config, but no formal commitment or step-by-step guide exists. Foundry would provide deterministic builds; Hardhat is less standardized.
RD-F-168 yellow Stale-approval exposure on deprecated router Multiple deprecated deposit pool versions exist (v1.0 at 0x4d05e3d4, v1.1 at 0x2cac916b, v1.2 at 0xDD3f50F8). Users who interacted with older versions may have residual ERC-20 token approvals to deprecated contracts. Rocket Pool has published protocol upgrade guidance but no formal revoke-notice or approval wind-down event documented. 4+ year protocol age with 3 major deposit pool versions makes material residual approvals likely. Cannot quantify without subgraph query.
RD-F-142 gray Storage-layout collision risk across upgrades Architectural N/A. Rocket Pool uses a storage-registry pattern (RocketStorage key-value store) rather than EIP-1967 transparent proxies or UUPS. Individual contract replacements do not share storage slots. The traditional storage layout collision problem (OZ upgrades plugin domain) does not apply to this architecture. Each new contract reads/writes RocketStorage keys independently.
RD-F-143 gray Reinitializable implementation (no _disableInitializers) Architectural N/A. Rocket Pool does not use standard transparent proxy or UUPS proxy patterns. Contracts are independent implementations registered in RocketStorage. No initialize() functions with initializer modifiers. No proxy upgrade path requiring _disableInitializers(). The storage-registry pattern makes this factor inapplicable by architecture.
RD-F-185 gray Bridge rate-limiter / chain-pause as positive mitigant N/A. Rocket Pool is not a bridge protocol and has no bridge surface. has_bridge_surface=false per profile and data-cache. rETH exists on L2s via third-party canonical bridges operated by Optimism/Arbitrum/Base, not Rocket Pool. F185 (bridge rate-limiter/chain-pause) does not apply.
RD-F-137 green Upgrade frequency (per 90 days) Saturn One (February 18, 2026) is the only upgrade in the trailing 90 days from May 4, 2026 (75 days prior). 1 upgrade in 90 days falls in the green range (0-2). Houston Hotfix (October 2024) is outside the 90-day window. No other upgrades detected.
RD-F-138 green Hot-patch deploys without timelock (last 30 days) No upgrades to Rocket Pool contracts in the last 30 days (April 4 - May 4, 2026). Saturn One was February 18, 2026 (>30 days prior). The April 17, 2026 GitHub commits are test/branch fixes, not mainnet contract deployments. Zero hot-patches in last 30 days.
RD-F-140 green Fix-merged-but-not-deployed gap No documented case of a security-relevant PR merged but not deployed. April 17, 2026 commits (post-Saturn One) are test timing fixes and branch merges, not undeployed security fixes. No open security advisories in the GitHub repo. Protocol has no known unpatched vulnerabilities at assessment date.
RD-F-141 green Test-mode parameters in deploy No test-mode parameters identified in production deployment. Rocket Pool has operated in production since November 2021 with 5 major upgrades. Community upgrade verification (v1.4/Saturn One) raised no test-mode concerns. Parameters reviewed against RPIP specifications.
RD-F-144 green CREATE2 factory permits same-address redeploy No CREATE2 factory with selfdestruct redeploy pattern identified in core Rocket Pool contracts. Minipool deployment uses standard factory pattern without CREATE2 + selfdestruct. No same-address redeploy vulnerability found.
RD-F-146 green New contract deploys in last 30 days No new contract deployments by Rocket Pool deployer addresses in the 30-day window April 4 - May 4, 2026. Saturn One was February 18, 2026 (>30 days prior). April 17, 2026 commits are test fixes and branch merges, not mainnet deployments. Zero new deploys in last 30 days.
Cross-chain & bridge Gray 0 12 of 12
RD-F-147 n/a Protocol has bridge surface Rocket Pool is an Eth-mainnet-only LST; rETH on L2s is canonical-bridged ERC-20 not operated or governed by Rocket Pool. Protocol has no bridge contracts, no cross-chain messaging, and no LayerZero/CCIP/Wormhole endpoints. Cat 10 N/A by construction per profile §7: has_bridge_surface=false, is_a_bridge=false, cross_chain=false.
RD-F-148 n/a Bridge validator count (M) Rocket Pool is an Eth-mainnet-only LST; rETH on L2s is canonical-bridged ERC-20 not operated or governed by Rocket Pool. Protocol does not operate bridge endpoint contracts. Cat 10 N/A by construction.
RD-F-149 n/a Bridge validator threshold (k-of-M) Rocket Pool is an Eth-mainnet-only LST; rETH on L2s is canonical-bridged ERC-20 not operated or governed by Rocket Pool. No bridge validator or signer set. Cat 10 N/A by construction.
RD-F-150 n/a Bridge validator co-hosting Rocket Pool is an Eth-mainnet-only LST; rETH on L2s is canonical-bridged ERC-20 not operated or governed by Rocket Pool. No bridge validators to co-host. Cat 10 N/A by construction.
RD-F-151 n/a Bridge ecrecover checks result ≠ address(0) [★ CRITICAL — bridge-only] Rocket Pool is an Eth-mainnet-only LST; rETH on L2s is canonical-bridged ERC-20 not operated or governed by Rocket Pool. No bridge contracts exist; the ecrecover pattern is irrelevant. Cat 10 N/A by construction.
RD-F-152 n/a Bridge binds message to srcChainId Rocket Pool is an Eth-mainnet-only LST; rETH on L2s is canonical-bridged ERC-20 not operated or governed by Rocket Pool. No bridge message structs. Cat 10 N/A by construction.
RD-F-153 n/a Bridge tracks nonce-consumed mapping Rocket Pool is an Eth-mainnet-only LST; rETH on L2s is canonical-bridged ERC-20 not operated or governed by Rocket Pool. No bridge nonce-consumed mapping needed. Cat 10 N/A by construction.
RD-F-154 n/a Default bytes32(0) acceptable as valid root [★ CRITICAL — bridge-only] Rocket Pool is an Eth-mainnet-only LST; rETH on L2s is canonical-bridged ERC-20 not operated or governed by Rocket Pool. No bridge inbox; the bytes32(0) root acceptance pattern is irrelevant. Cat 10 N/A by construction.
RD-F-155 n/a Bridge validator-set rotation recency Rocket Pool is an Eth-mainnet-only LST; rETH on L2s is canonical-bridged ERC-20 not operated or governed by Rocket Pool. No bridge validator set to rotate. Cat 10 N/A by construction.
RD-F-156 n/a Bridge uses same key custody for >30% validators Rocket Pool is an Eth-mainnet-only LST; rETH on L2s is canonical-bridged ERC-20 not operated or governed by Rocket Pool. No bridge validators to assess key custody. Cat 10 N/A by construction.
RD-F-157 n/a Bridge TVL per validator ratio Rocket Pool is an Eth-mainnet-only LST; rETH on L2s is canonical-bridged ERC-20 not operated or governed by Rocket Pool. No bridge TVL or validator concentration. Cat 10 N/A by construction.
RD-F-179 n/a LayerZero OFT DVN config (count, threshold, diversity) Rocket Pool is an Eth-mainnet-only LST; rETH on L2s is canonical-bridged ERC-20 not operated or governed by Rocket Pool. No LayerZero OFT integration. Data-cache confirms layerzero.present=false, oapp_address=null, dvn_addresses=[]. Cat 10 N/A by construction.
Threat intelligence & recon Green 13 8 of 8
RD-F-161 yellow Protocol-impersonator domain registered (typosquat) F161 registration-date-to-assessment-date delta (explicit): official domain rocketpool.net registered 2017-05-16; assessment date 2026-05-04; domain age = 8 years 11 months 18 days (long-established, no risk). Confirmed phishing domain: rocketpool-migrating.net, used in the January 2024 X account compromise attack. Delta from confirmed phishing domain creation (approx. Jan 2024) to assessment (May 2026) = approximately 16 months — outside the strict 90-day factor window. However: (1) brand impersonation is an elevated risk for top-20 DeFi protocols; (2) the prior confirmed campaign demonstrates active targeting; (3) domain monitoring was not configured at T-10, so no 90-day confirmation is available. Scored yellow: elevated brand-attack surface confirmed by a prior event; no production monitoring to confirm or deny current 90-day registrations.
RD-F-163 yellow Avg attacker reconnaissance time for peer-class protocols LST protocols have two primary attack vectors: (1) oracle manipulation (oDAO for Rocket Pool) — near-instant execution once the exploiter controls submission; (2) social/brand attacks (X compromise, phishing) — hours of preparation. Jan 2024 X hack: executed the same day as the account compromise. Sep 2023 phishing: victim targeted via phishing sites; attack prep estimated at days. The 2022 developer machine compromise (oDAO node access): the attacker gained access and immediately exfiltrated ($28K ETH+RPL), suggesting near-instant execution post-access. Estimated recon time for the RP class: 7–30 days for social engineering, near-instant for opportunistic phishing. Insufficient hack-DB sample for a full green (≥30 days average).
RD-F-164 yellow Leaked credential on paste/sentry site Confirmed prior credential/machine compromise: May 26, 2022 security incident — attacker gained access to a Rocket Pool developer's machine, compromising two oDAO nodes, stealing $28K ETH+RPL. Post-mortem published June 2022. Team updated internal security practices post-incident. No paste-site or Sentry credential leak documented in current public data since 2022 remediation. However: (1) paste monitoring not configured at T-10; (2) the 2022 incident establishes that credential-level compromise of oDAO operators is a real attack vector for this protocol. Scored yellow: prior machine compromise documented; current exposure not confirmed but monitoring gap exists.
RD-F-158 green Known-threat-actor cluster has touched protocol No confirmed DPRK/Lazarus cluster interaction with Rocket Pool core contracts (RocketStorage 0x1d8f8f00..., rETH 0xae78736C...) identified in available public data. LST protocols are not primary Lazarus laundering venues (Beacon Chain exit delays impede rapid liquidation compared to DEXes/bridges). Bybit 2025 ($1.5B DPRK theft) was laundered via DEX aggregators and bridges, not LST protocols. No OFAC-sanctioned address interaction with Rocket Pool documented. Signal not firing; CTI feed required for full production confirmation.
RD-F-159 green Attacker wallet pre-strike probe (low-gas failing txs) No documented pre-strike probe pattern (low-gas failing transactions from CTI-flagged wallets) against Rocket Pool core contracts. Yearn rekt3 (Apr 2023) noted unusual LST movements adjacent to Rocket Pool before that exploit, but this was attacker assets moving through the ecosystem, not reconnaissance targeting RP contracts. Mempool and CTI feed required for production deployment. Signal not firing based on available public evidence.
RD-F-160 green GitHub malicious-dependency incident touching protocol deps No active GHSA/npm security advisory confirmed against Rocket Pool's specific dependency tree. OpenZeppelin v3.4.0 (vintage 2021, per data-cache) should be assessed by code-security-analyst (Cat 8 F135). No malicious-release advisory for npm packages consumed by Rocket Pool documented in public data at T-10. Scored green pending code-security-analyst Cat 8 cross-check.
RD-F-162 green Known-exploit-template selector deployed by any address No documented deployment of exploit-template-matching contracts targeting Rocket Pool contract class. Rocket Pool uses unique custom contracts (RocketStorage registry pattern, oDAO committee) not derived from common Compound/Aave fork templates, reducing exploit-template-replay surface. No hack-database entry for RP-specific exploit templates. Selector-pattern index not maintained at T-10.
RD-F-165 green Protocol social channel has scam-coordinator flag No scam-coordinator confirmed in Rocket Pool official channel admin positions. January 2024 X account compromise was recovered within ~35 minutes via prompt team response and cross-channel communication. The compromise was of the @Rocket_Pool X account itself, not an infiltration of Discord/Telegram admin. No ScamSniffer or Chainabuse records confirmed for Rocket Pool Discord or governance forum admin as scam coordinators. Official Discord (discord.gg/rocketpool), X (@Rocket_Pool), and governance forum (dao.rocketpool.net) appear to have clean admin status as of assessment date.
Tooling / compiler / AI Yellow 33 5 of 5
RD-F-174 red Dependency tree uses EOL Solidity version Solidity 0.7.6 (released December 16, 2020) is the compiler for all core protocol contracts including rETH, RocketStorage, RocketBase, and all pre-Saturn One contracts. Solidity only provides security fixes to the latest release branch (0.8.x series); version 0.7.x is de facto EOL — no new security patches are applied. 0.7.6 is over 5 years old at assessment date. Saturn One contracts use 0.8.30 (current/supported). Core protocol TVL-bearing contracts are on an unsupported EOL compiler version.
RD-F-170 yellow Solc version used (known-bug versions flagged) Two Solidity versions in production. (1) 0.7.6: used for all pre-Saturn core contracts (rETH, RocketStorage, RocketBase, etc.). Active known bug: DirtyBytesArrayToStorage (low severity, affects 0.0.1–0.8.15). Compiler is unsupported (de facto EOL — see F174). (2) 0.8.30: used for Saturn One megapool contracts. Active known bugs: TransientStorageClearingHelperCollision (HIGH severity, 0.8.28–0.8.34) — requires clearing both storage AND transient storage; Rocket Pool megapool contracts DO NOT use transient storage (confirmed by source inspection), so this bug is non-applicable to deployed code. LostStorageArrayWriteOnSlotOverflow (low). Yellow: 0.7.6 has a low-severity bug and is unsupported; 0.8.30 has a high-severity bug in the compiler but the triggering conditions are absent.
RD-F-171 n/a Bytecode similarity to audited upstream with behavior deviation Rocket Pool is an original protocol with no audited upstream to compare bytecode against. Bytecode similarity measurement requires an audited upstream; this factor is not applicable to original protocols.
RD-F-172 green Repo shows AI-tool co-authorship in critical files GitHub API commit history for contracts directory (Jan 2026 onward) shows all commits authored solely by Kane Wallmann (kane@rocketpool.net) with valid PGP signatures. No AI co-authorship metadata (Co-authored-by: copilot, Co-authored-by: github-actions[bot], etc.) found. No AI tool disclosures in commit messages.
RD-F-173 green Team self-disclosure of AI-generated Solidity No team disclosure of AI-generated Solidity found. Web search for 'Rocket Pool AI OR copilot OR ChatGPT code generated Solidity 2024 2025' returned no results connecting RP to AI-generated contract code. No AI disclosure in Medium blog, governance forum, or GitHub README.
Response & disclosure hygiene Yellow 33 4 of 4
RD-F-176 red Disclosure SLA public No acknowledgment-time SLA (e.g., '72h ack') found in the Immunefi program page, governance forum, or rocketpool.net. Bug bounty program update (Feb 2026) covers payout tiers only, not SLA. Immunefi program description references platform rules but no acknowledgment timeline. Methodology: red = no SLA published.
RD-F-175 yellow Disclosure channel exists Active Immunefi bug bounty program exists (last updated March 31, 2026, 77 assets in scope, active since September 2021). No SECURITY.md in the primary repo (data-cache security_md_present: false; 404 confirmed). No dedicated security@ email. rocketpool.net/protocol/security page returns only a basic description with no disclosure content. Immunefi is the sole documented disclosure channel. No evidence of active monitoring beyond Immunefi (no disclosed payout history publicly archived). Yellow: channel exists but no active-monitoring evidence in the last 12 months.
RD-F-177 green Prior known-ignored disclosure No evidence of any disclosed vulnerability that was reported to the team and not actioned before exploitation. RPIP-63 (Oct 2024) patched three Immunefi bounties (2 high, 1 medium) before any fund loss. Pre-launch Beacon Chain staking bug (Oct 2021) was disclosed to rival staking providers and fixed before mainnet launch — a positive proactive-disclosure indicator. No post-mortem or external write-up documents an ignored disclosure. Score: green.
RD-F-178 green CVE/GHSA advisory issued against protocol GitHub Advisory Database search for 'rocket-pool' returns only Rocket.Chat CVEs (GHSA-72hv-vf28-v4jh, GHSA-4w54-c3hg-qqrv, GHSA-779j-v68w-458w) — these are for Rocket.Chat, an unrelated messaging product. No CVE or GHSA advisory issued against the Rocket Pool Ethereum liquid staking protocol's smart contracts or smartnode software. Score: green = no advisory.
rubric_version v1.7.0 graded_at 2026-05-12 04:38:07 factors 184 protocol rocket-pool